The identity lifecycle management (ILM) process involves managing user identities and their access privileges from the beginning to the end of their involvement with your organization.

This process begins on an employee's first day and continues throughout their employment, in particular whenever they change roles or their access privileges need to be altered. It ends once they have departed from your organization, all access has been revoked, and their digital identity is suspended, permanently revoked, or deleted entirely.
The phases within the identity lifecycle management process are:

1. Identity creation
2. Onboarding and access provisioning
3. Access monitoring, reporting, and maintenance
4. Offboarding
The first step in managing the identity lifecycle is to create the digital identity that will be managed from then on. Digital identity creation usually happens shortly before or on a new employee's first day. The first iteration of their digital identity is typically created in HR's software, commonly referred to as an HRIS (human resources information system) tool.

HR gathers the relevant information from the new employee, uses it to create their digital identity, and associates a role or title with that identity. That role is what every downstream access decision will key on, so it needs to be accurate from the start.
Once the new employee has an active digital identity in HR's software, the same identity must also be created in IT's directory.

The simplest and least error-prone way to do this is through a built-in integration between the IT and HRIS tools being used. In this scenario, the identity created in the HRIS tool is imported into the directory automatically, so there is a single source of truth for who exists and what role they hold.

Once imported, the role associated with the identity in the HR software tells the IT tool what access needs to be provisioned. This is usually done via groups that have certain access to resources provisioned to them, so when a new identity is added to a group, the proper access is assigned immediately. The role-to-group mapping itself deserves deliberate review, since every group a role carries is access that every future hire in that role will inherit.

In all other scenarios, without this integration, this phase of identity lifecycle management is much more difficult and time-consuming. HR and IT need to communicate about when a user starts, what their role is, and what access they need. Then, come day one of their employment, HR and IT need to create separate but mirrored identities in each tool.

After that, IT needs to manually provision access to each resource needed for that employee's role, ensuring that the principle of least privilege is followed while still provisioning enough access for the employee to be productive right away. If multiple new employees start on the same day, onboarding becomes considerably more difficult and tedious, and the chance of human error (a missed group, or access copied from a colleague who holds more than the role needs) rises with it.
The other primary identity lifecycle management task during onboarding is email creation. The new employee's email address will be an important identifier moving forward, and in most SSO and SCIM setups it doubles as the username that other systems key on, so it needs to follow your organization's naming conventions and must be unique and stable. This email address needs to exist before resource access can be granted appropriately.

While there are many other tasks that fall under the scope of onboarding, those tasks are not specific to identity lifecycle management.
The third phase of the identity lifecycle management process involves a few different but related tasks:

- Access monitoring
- Access reporting
- Access maintenance

To fully understand how these tasks are related, think about it this way:

Constant access monitoring allows you to be aware of who has access to what and why, and to see and respond to security events in a timely manner.

Reporting on the access that you're already aware of allows you to prove compliance and complete audits with fewer unexpected hiccups along the way.

And staying on top of access maintenance allows you to remain secure and compliant as access needs change.
A holistic solution for event logging, analysis, and reporting is an identity governance and administration (IGA) tool.
While initial access rights are granted during onboarding, ongoing access monitoring and maintenance is how you prevent privilege creep. As individuals change roles and take on or give up responsibilities, their access needs change, but access that is granted and never revisited tends to accumulate. Comparing each identity's current access against what its current role actually requires, on a regular schedule and on every role change, is what keeps your org secure and compliant. Learn more about privilege creep and addressing other challenges with identity lifecycle management.
The final phase of identity lifecycle management is offboarding. Proper offboarding is essential for maintaining security across your organization, because ex-employees who retain access to any of your resources are a threat. To mitigate this, IT must revoke access and deprovision identities in a timely, complete, and secure manner.

Let's go back to the two scenarios highlighted in the onboarding section: scenario 1 involves a working integration between HR and IT tools, and scenario 2 lacks one.

With a modern HR and IT tool integration, the departing employee's digital identity is removed or suspended within the HR software. That action then prompts the connected directory to suspend the identity as well, along with all of the access provisioned to it. When HR and IT tools are connected, offboarding becomes seamless, quick, and secure.

Both HR and IT should still do one final check to ensure that every offboarding item has been completed and nothing has been overlooked, in particular any access that was granted outside the directory (local accounts, shared credentials, API keys), which no HRIS integration will revoke on its own.

However, without a seamless connection between HR and IT software, offboarding can be an inefficient and insecure process. HR is usually the first department to learn that an employee is departing, so they will revoke or suspend the identity in their own system when appropriate. IT may not learn about the departure in a timely manner, which leaves departed users with access to company resources that might include sensitive information. Improper offboarding like this can pose huge security risks for your organization.
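The onboarding and offboarding logic described above reduces to a single reconciliation loop: HR says who exists and in what role, a role-to-group map says what that role is allowed, and the directory is adjusted to match. The following is an added example, not JumpCloud's code or any vendor's HRIS integration. The role map, the people, the groups and the directory state are all constructed, and the action tuples it returns stand in for the calls a real script would make to the directory's SCIM or admin API. It also goes a step beyond the text by flagging orphans (active directory accounts with no HR record) and privilege creep (groups beyond what the current role grants), which are exactly what the unintegrated offboarding described above leaves behind.

```python
"""Reconcile an HRIS feed against a directory and emit provisioning actions.

Added example, not JumpCloud's code. Everything here is constructed: the HRIS
rows, the directory state and the role-to-group map are inline sample data.
In practice the rows come from the HRIS export or API and the directory state
from the directory's SCIM or admin API; the action tuples returned here are
what you would then apply through that API.
"""
from dataclasses import dataclass, field

# Hypothetical role -> group map. Groups are the unit of access: an identity
# gets exactly the groups of its current HR role, no more and no less.
ROLE_GROUPS = {
    "engineer": {"all-staff", "eng", "vpn"},
    "support": {"all-staff", "support-tools"},
    "contractor": {"contractor-portal"},
}


@dataclass(frozen=True)
class HrRecord:
    email: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class DirUser:
    email: str
    suspended: bool = False
    groups: set = field(default_factory=set)


def reconcile(hr_rows, directory):
    """Return (action, email, detail) tuples that bring the directory in line
    with HR. HR is the source of truth for who exists and what role they hold;
    the directory is the source of truth for what access actually exists."""
    actions = []
    by_email = {u.email: u for u in directory}
    seen = set()
    for rec in hr_rows:
        seen.add(rec.email)
        user = by_email.get(rec.email)
        if rec.status == "terminated":
            # Offboarding: suspend rather than delete, so the identity and its
            # audit history survive, and strip every group so nothing is
            # reachable even if the suspension is later lifted by mistake.
            if user is not None and (not user.suspended or user.groups):
                actions.append(("suspend", rec.email, sorted(user.groups)))
            continue
        wanted = ROLE_GROUPS.get(rec.role)
        if wanted is None:
            # Never guess access for an unmapped role; a human decides.
            actions.append(("review", rec.email, f"unmapped role {rec.role!r}"))
            continue
        if user is None:
            actions.append(("create", rec.email, sorted(wanted)))  # day-one onboarding
            continue
        if user.suspended:
            actions.append(("review", rec.email, "active in HR but suspended in directory"))
            continue
        # Role change or drift: anything beyond the current role is privilege creep.
        extra, missing = user.groups - wanted, wanted - user.groups
        if extra:
            actions.append(("remove_groups", rec.email, sorted(extra)))
        if missing:
            actions.append(("add_groups", rec.email, sorted(missing)))
    # Orphans: active directory identities that HR does not know about. These
    # are the accounts an offboarding process without an HR link leaves behind.
    for email in sorted(by_email):
        if email not in seen and not by_email[email].suspended:
            actions.append(("orphan", email, sorted(by_email[email].groups)))
    return actions


# Constructed sample data (hypothetical people and groups).
SAMPLE_HR = [
    HrRecord("alice@example.com", "engineer", "active"),      # already correct
    HrRecord("bob@example.com", "support", "active"),         # moved from eng to support
    HrRecord("carol@example.com", "engineer", "active"),      # starts today
    HrRecord("dave@example.com", "contractor", "terminated"), # left, still enabled
    HrRecord("erin@example.com", "ops", "active"),            # role not mapped
]
SAMPLE_DIRECTORY = [
    DirUser("alice@example.com", groups={"all-staff", "eng", "vpn"}),
    DirUser("bob@example.com", groups={"all-staff", "eng"}),
    DirUser("dave@example.com", groups={"contractor-portal"}),
    DirUser("frank@example.com", groups={"all-staff", "vpn"}),  # no HR record
]

if __name__ == "__main__":
    for action, email, detail in reconcile(SAMPLE_HR, SAMPLE_DIRECTORY):
        print(f"{action:14} {email:20} {detail}")
```

Running it on the sample data yields six actions: Bob loses `eng` and gains `support-tools` (his old role's access does not follow him), Carol is created with exactly her role's groups, Dave is suspended with his remaining group recorded, Erin is held for human review because her role has no mapping, and Frank surfaces as an orphan. Alice produces nothing, and rerunning after the actions are applied produces nothing either, which is the property you want from a reconciliation job that runs on a schedule.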
Another important part of the identity lifecycle management process is the management of external and guest identities. Many organizations deal with this because they employ contractors or seasonal workers, or because they need a way to manage partner and vendor identities. These external identities often need to exist in the organization's infrastructure to enable smooth collaboration and to keep access management in one place.

While the ILM process for external and guest identities is very similar to that of internal, long-term employees, there is an increased need for an identity suspension capability in the directory being used. These identities are revoked and created, or re-created, far more often than those of internal employees. When IT can simply suspend an identity, automatically revoking its access until the suspension is lifted, it is much easier to manage external and guest identities and their access. Suspending rather than deleting also keeps the identity's history and audit trail intact, and avoids the same person being re-created from scratch with a fresh, unreviewed set of access at the start of each engagement.
JumpCloud's open directory platform simplifies identity lifecycle management across all of your internal and external identities. Not only does it provide you with one location to remotely manage identities and access on Windows, macOS, and Linux devices, but it also integrates with your HRIS platform of choice.

Use these capabilities to manage identities and to provision and deprovision access via SAML SSO, JIT provisioning, and SCIM. From there, use JumpCloud Insights to monitor and log events across all identities.